We chose ZAP for this exercise as it can monitor, intercept, and repeat WebSockets messages. Burp Suite can monitor WebSockets communication; however, it doesn't have the ability to intercept, modify, and replay messages:
- Configure your browser to use ZAP as a proxy, and in ZAP, enable the WebSockets tab by clicking on the plus icon in the bottom panel:
- Now, in the browser go to http://dvws.local/DVWS/ and select Stored XSS from the menu:
- Enter some comments and switch to ZAP. In the History tab, look for a request ...
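To show what the exercise is looking for in those WebSocket messages, here is an added example that is not from the book or from DVWS: a constructed comment message in a JSON shape that is an assumption (DVWS's real protocol may differ), rendered first the way a stored XSS arises (comment text interpolated straight into markup) and then with HTML encoding applied before interpolation. The `renderUnsafe`, `renderSafe`, `escapeHtml` and `containsMarkup` names are hypothetical helpers written for this illustration.

```javascript
// Added example (not from the book): why the client-side rendering of a stored
// comment received over a WebSocket decides whether stored XSS is possible.
// The message shape {cmd, comment} is an assumption, not DVWS's actual protocol.

// Constructed sample of a comment message as a WebSocket client might receive it.
const sampleMessage = JSON.stringify({
  cmd: "comment",
  comment: '<img src=x onerror="alert(1)">',
});

// Vulnerable pattern: the stored comment is turned into markup as-is.
function renderUnsafe(rawMessage) {
  const msg = JSON.parse(rawMessage);
  return `<li>${msg.comment}</li>`;
}

// Hardened pattern: encode the HTML-significant characters before interpolating.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(rawMessage) {
  const msg = JSON.parse(rawMessage);
  return `<li>${escapeHtml(msg.comment)}</li>`;
}

// Check used below: does the rendered comment body still contain a tag?
// The <li> wrapper added by the renderer is stripped before testing.
function containsMarkup(html) {
  const body = html.replace(/^<li>/, "").replace(/<\/li>$/, "");
  return /<[a-z]/i.test(body);
}

console.log(renderUnsafe(sampleMessage)); // tag survives: a browser would execute it
console.log(renderSafe(sampleMessage));   // tag encoded: shown as text
```

In a real page the safer choice is to avoid building HTML strings at all and set `textContent` on a DOM node, but the encoding step above is what to look for when you compare what the comment contains in the ZAP WebSockets tab with how the page renders it.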